Gafgyt

Malware updated a month ago (2024-11-29T13:39:06.834Z)

Download STIX

Preview STIX

Gafgyt, also known as Bashlite, is a type of malware that targets Linux architecture operating systems with the primary intent to launch distributed denial of service (DDoS) attacks. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, and upon entry, it can disrupt operations, steal personal information, or hold data for ransom. Gafgyt and similar botnets like Mirai predominantly dominate the IoT threat landscape, typically scanning IP addresses and domain names. They generate random IP addresses as scanning destinations and establish connections with command-and-control servers, awaiting instructions to launch coordinated attacks on targeted victims. In August 2023, a variant of the Gafgyt botnet actively attempted to exploit a vulnerability tracked as CVE-2017-18368, impacting the end-of-life Zyxel P660HN-T1A router. This variant of Gafgyt uses the vulnerability to expand DDoS attacks on Linux-based systems. By downloading and executing malicious scripts, it establishes connections with command-and-control servers, readying itself to launch coordinated assaults. Another Gafgyt variant, designed to create denial of service (DoS) in Linux architectures, has been observed attacking the TP-Link flaw by downloading and executing a script file, retrieving Linux architecture execution files with the prefix filename "rebirth," and then compiling compromised target IP and architecture information into its initial connection message. However, unpatched devices remain at risk as threat actors continue to dispatch various botnets, including Moobot, Miori, AGoent, Gafgyt variants, and infamous Mirai botnet variants, which can compromise the devices for further nefarious activity such as DDoS attacks. Researchers from Fortiguard Labs Threat Research and ThreatLabz have noted multiple attacks focusing on this vulnerability, with the notorious Mirai and Gafgyt malware families driving the majority of these attacks. These botnets are known for turning devices into zombie-like members of their network, used to perform coordinated attacks on a large scale.

Description last updated: 2024-09-04T12:15:38.248Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Mirai Botnet is a possible alias for Gafgyt. The Mirai botnet, a type of malware, is known for its ability to exploit vulnerabilities in various devices and systems. Mirai operates by infecting systems without the user's knowledge, often through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt	3
Bashlite is a possible alias for Gafgyt. Bashlite, also known as Gafgyt, is a type of malware that specifically targets Linux architecture operating systems. This malicious software is designed to infiltrate your system through dubious downloads, emails, or websites and can cause significant damage without your knowledge. Once Bashlite has	3
Kaiten is a possible alias for Gafgyt. Kaiten, also known as Tsunami, is a malware variant that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, often being distributed alongside other DDoS bots like Mirai and Gafgyt. The	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Botnet

Ddos

Vulnerability

Linux

Bot

Exploit

Denial of Se...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Mirai Malware is associated with Gafgyt. Mirai is a type of malware that primarily targets Internet of Things (IoT) devices, converting them into a botnet, which is then used to launch Distributed Denial of Service (DDoS) attacks. In early 2022, Mirai botnets accounted for over seven million detections worldwide, though there was a 9% quar	is related to	8
The Gafgyt Variant Malware is associated with Gafgyt. The Gafgyt variant is a malicious software that poses a significant threat to computer systems and devices. This malware can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information,	Unspecified	3
The Mozi Malware is associated with Gafgyt. Mozi, a malicious software (malware), has been a significant force in the cyber threat landscape. This malware, known for exploiting outdated and vulnerable Internet of Things (IoT) devices, was responsible for 74% of all IoT attacks in 2021. The Mozi botnet, infamous for hijacking hundreds of thous	Unspecified	2
The Moobot Malware is associated with Gafgyt. Moobot is a malicious software (malware) that is based on the Mirai platform. This malware was designed to infiltrate devices and systems, often through suspicious downloads, emails, or websites without user knowledge. Once inside a system, Moobot facilitated targeted attacks against various entitie	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-1389 Vulnerability is associated with Gafgyt. CVE-2023-1389 is a command injection vulnerability discovered in TP-Link Archer AX21 routers. This flaw in software design or implementation was publicly released in March of the year 2023 and has since been exploited by various malicious actors. Attack traffic through the vulnerable routers has bee	Unspecified	2

Source Document References

Information about the Gafgyt Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	5 days ago	Engineering Workstations Fresh Malware Barrage
Trend Micro	16 days ago	Gafgyt Malware Broadens Its Scope in Recent Attacks
Securityaffairs	4 months ago	Zyxel fixed critical OS command injection flaw in multiple routers
BankInfoSecurity	8 months ago	Exploited TP-Link Vulnerability Spawns Botnet Threats
DARKReading	8 months ago	Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks
Fortinet	8 months ago	Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread \| FortiGuard Labs
CERT-EU	a year ago	Securing Public Sector Against IoT Malware in 2024 \| Zscaler
CERT-EU	a year ago	Attackers Targeting Poorly Managed Linux SSH Servers
CERT-EU	2 years ago	DDoS Malware Distributed Through Compromised Linux SSH Servers
CERT-EU	2 years ago	Cybersecurity threatscape: year 2021 in review
SANS ISC	a year ago	Routers Targeted for Gafgyt Botnet [Guest Diary] - SANS Internet Storm Center
Securityaffairs	a year ago	Who is behind the Mozi Botnet kill switch?
Securityaffairs	a year ago	Gafgyt botnet is targeting EoL Zyxel routers
CERT-EU	a year ago	IoT security threats highlight the need for zero trust principles - Help Net Security
MITRE	2 years ago	Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
BankInfoSecurity	a year ago	Breach Roundup: Winter Vivern Hunting For Emails
Fortinet	2 years ago	2022 IoT Threat Review \| FortiGuard Labs
CERT-EU	2 years ago	New Strain of Sotdas Malware Discovered \| Qualys Security Blog
CERT-EU	2 years ago	Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency
CERT-EU	a year ago	Mirai Botnet’s New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught